Opened 6 years ago

Closed 6 years ago

#4191 closed defect (fixed)

Undefined behaviour in ptarray_clone_deep

Reported by: Algunenano Owned by: Algunenano
Priority: medium Milestone: PostGIS 2.2.8
Component: postgis Version: 2.2.x
Keywords: Cc:

Description

Detected running regress tickets under `gcc -fsanitize=undefined -fsanitize-undefined-trap-on-error`.

There is a zero-length allocation that can lead to out->serialized_pointlist being NULL (https://wiki.sei.cmu.edu/confluence/display/c/MEM04-C.+Beware+of+zero-length+allocations), which is not valid as input for memcpy: `If an argument to a function has an invalid value (such as a value outside the domain of the function, or a pointer outside the address space of the program, or a null pointer, or a pointer to non-modifiable storage when the corresponding parameter is not const-qualified) or a type (after promotion) not expected by a function with variable number of arguments, the behavior is undefined.`

Core was generated by `postgres: raul postgis_reg [local] SELECT  '.
Program terminated with signal SIGILL, Illegal instruction.
#0  0x00007f1aebe19e41 in ptarray_clone_deep (in=0x55c488ddf5f0) at ptarray.c:637
637             memcpy(out->serialized_pointlist, in->serialized_pointlist, size);
(gdb) p size
$1 = 0
(gdb) p *in
$3 = {serialized_pointlist = 0x0, flags = 0 '\000', npoints = 0, maxpoints = 0}
(gdb) bt
#0  0x00007f1aebe19e41 in ptarray_clone_deep (in=0x55c488ddf5f0) at ptarray.c:637
#1  0x00007f1aebe2b0a2 in lwline_clone_deep (g=0x55c488ddf5c0) at lwline.c:126
#2  0x00007f1aebe22329 in lwgeom_clone_deep (lwgeom=0x55c488ddf5c0) at lwgeom.c:522
#3  0x00007f1aebe34436 in lwcollection_clone_deep (g=0x55c488ddf570) at lwcollection.c:159
#4  0x00007f1aebe22347 in lwgeom_clone_deep (lwgeom=0x55c488ddf570) at lwgeom.c:535
#5  0x00007f1aebeb3b5a in lwgeom_linemerge (geom=0x55c488ddf570) at lwgeom_geos.c:642
#6  0x00007f1aebccd73c in linemerge (fcinfo=0x55c488dbdfd0) at lwgeom_geos.c:3041
#7  0x000055c487667870 in ExecInterpExpr (state=0x55c488dbd688, econtext=0x55c488dbcea0, isnull=0x7fffc06a8ddf) at execExprInterp.c:678
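
The guard the ticket calls for, as an added illustration that is not PostGIS's own code or the fix committed in r16867: `PTARRAY_DEMO` is a constructed stand-in for the POINTARRAY seen in the gdb dump, points are assumed to be 2D doubles, and `ptarray_clone_deep_demo`, `demo_clone_empty_ok` and `demo_clone_points_ok` are hypothetical names. The clone skips both the allocation and the memcpy when the copy size is zero, so the empty-array case from the crash dump never reaches memcpy with a NULL pointer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for PostGIS's POINTARRAY; names follow the gdb dump. */
typedef struct {
    uint8_t *serialized_pointlist;
    uint8_t flags;
    uint32_t npoints;
    uint32_t maxpoints;
} PTARRAY_DEMO;

/* Deep copy that never hands memcpy a NULL pointer: for npoints == 0 the size is
 * 0, malloc(0) may return NULL and memcpy(NULL, NULL, 0) is UB, so skip both. */
PTARRAY_DEMO *ptarray_clone_deep_demo(const PTARRAY_DEMO *in)
{
    PTARRAY_DEMO *out = calloc(1, sizeof(*out)); /* serialized_pointlist = NULL */
    if (!out) return NULL;
    size_t size = (size_t)in->npoints * 2 * sizeof(double); /* assumed 2D (x, y) */
    out->flags = in->flags;
    out->npoints = out->maxpoints = in->npoints;
    if (size == 0) return out;                  /* empty array: nothing to copy */
    out->serialized_pointlist = malloc(size);
    if (!out->serialized_pointlist) { free(out); return NULL; }
    memcpy(out->serialized_pointlist, in->serialized_pointlist, size);
    return out;
}

/* Cloning the empty array from the crash dump yields a valid, buffer-less copy. */
int demo_clone_empty_ok(void)
{
    PTARRAY_DEMO empty = { NULL, 0, 0, 0 };
    PTARRAY_DEMO *c = ptarray_clone_deep_demo(&empty);
    int ok = c != NULL && c->npoints == 0 && c->serialized_pointlist == NULL;
    free(c);                                    /* no point buffer to release */
    return ok;
}

/* A non-empty clone is a distinct buffer holding identical bytes. */
int demo_clone_points_ok(void)
{
    double xy[4] = { 1.0, 2.0, 3.0, 4.0 };      /* constructed: two 2D points */
    PTARRAY_DEMO in = { (uint8_t *)xy, 0, 2, 2 };
    PTARRAY_DEMO *c = ptarray_clone_deep_demo(&in);
    int ok = c != NULL && c->npoints == 2 && c->serialized_pointlist != (uint8_t *)xy
          && memcmp(c->serialized_pointlist, xy, sizeof xy) == 0;
    if (c) { free(c->serialized_pointlist); free(c); }
    return ok;
}
```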

Change History (6)

comment:2 by algunenano, 6 years ago

In 16867:

Fix undefined behaviour in ptarray_clone_deep

References #4191

comment:3 by algunenano, 6 years ago

In 16868:

Fix undefined behaviour in ptarray_clone_deep

References #4191

comment:4 by algunenano, 6 years ago

In 16869:

Fix undefined behaviour in ptarray_clone_deep

References #4191

comment:5 by algunenano, 6 years ago

In 16870:

Fix undefined behaviour in ptarray_clone_deep

References #4191

comment:6 by algunenano, 6 years ago

Resolution: fixed
Status: assigned → closed

In 16871:

Fix undefined behaviour in ptarray_clone_deep

Closes #4191
Closes https://github.com/postgis/postgis/pull/311/
